# ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, update the hashes in the requirements file. Otherwise, check that the requirements file is correct. The package <package> has an incorrect hash: expected sha256=abc123... got sha256=def456...

- **ID:** `pip/requirements-file-hash-mismatch-multiple`
- **Domain:** pip
- **Category:** data_error
- **Error Code:** `ERROR`
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The hash recorded in the requirements file for a package does not match the hash of the file pip downloaded (wheel or source archive). This indicates a corrupted download, a man-in-the-middle attack, or an outdated requirements file.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| pip 22.0 | active | — | — |
| pip 22.3 | active | — | — |
| pip 23.0 | active | — | — |
| pip 23.2 | active | — | — |

## Workarounds

1. **Update the requirements file by regenerating hashes from a trusted source: download the archive, run `pip hash` on it, then replace the hash in requirements.txt.** (90% success)
   `pip hash` takes the path of a local archive, not a `<package>==<version>` specifier, so the file is downloaded first (`./verify` is a placeholder directory).
   ```
   pip download --no-deps -d ./verify "<package>==<version>"
   pip hash ./verify/* > new_hash.txt
   ```
2. **Use a requirements file without hashes temporarily, then verify the package integrity manually via PyPI or official source.** (85% success)
   pip has no option that switches hash checking off; it is enabled whenever any requirement carries `--hash`. The install therefore has to use a copy of the file with the `--hash` options removed (`requirements-nohash.txt` is a placeholder name).
   ```
   pip install -r requirements-nohash.txt
   ```
3. **Clear pip cache: `pip cache purge`, then retry with hash verification enabled.** (80% success)
   ```
   pip cache purge
   pip install --require-hashes -r requirements.txt
   ```
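
The manual integrity check mentioned in workaround 2, as an added example (not code from pip or from this entry): it parses the `--hash` pins out of a requirements file and compares them with the digest of a locally downloaded archive. The sample requirements text and archive bytes are constructed, and `parse_pinned_hashes` and `check_artifact` are hypothetical helper names.

```python
import hashlib
import re

def digest(data: bytes, algo: str = "sha256") -> str:
    """Digest in the 'algo:hex' form used after --hash= in requirements files."""
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"

def parse_pinned_hashes(text: str) -> dict[str, set[str]]:
    """Map each 'name==version' requirement to the set of hashes pinned for it."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)  # fold backslash line continuations
    pins: dict[str, set[str]] = {}
    for line in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and global options
            continue
        parts = line.split()
        pins[parts[0]] = {p[len("--hash="):] for p in parts[1:] if p.startswith("--hash=")}
    return pins

def check_artifact(pins: dict[str, set[str]], requirement: str, data: bytes) -> str:
    """Return 'match', 'mismatch', or 'unpinned' for one downloaded archive."""
    allowed = pins.get(requirement) or set()
    if not allowed:
        return "unpinned"
    # Hash the archive with every algorithm the pins use, then intersect.
    algos = {h.split(":", 1)[0] for h in allowed}
    return "match" if {digest(data, a) for a in algos} & allowed else "mismatch"

# Constructed sample data: two fake archives and a requirements file pinning them.
GOOD_WHEEL = b"constructed wheel bytes for examplepkg 1.0"
GOOD_SDIST = b"constructed sdist bytes for examplepkg 1.0"
SAMPLE_REQUIREMENTS = (
    "# constructed sample\n"
    "examplepkg==1.0 \\\n"
    f"    --hash={digest(GOOD_WHEEL)} \\\n"
    f"    --hash={digest(GOOD_SDIST)}  # wheel and sdist\n"
    "otherpkg==2.0\n"
)

if __name__ == "__main__":
    pins = parse_pinned_hashes(SAMPLE_REQUIREMENTS)
    for label, blob in [("wheel", GOOD_WHEEL), ("altered", GOOD_WHEEL + b"\x00")]:
        print(label, check_artifact(pins, "examplepkg==1.0", blob))
```

A `mismatch` result for an archive fetched from the official index means the pin and the published file disagree, which is the condition to investigate before any hash in the requirements file is replaced.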

## Dead Ends

- **** — Disables hash verification, leaving the system vulnerable to supply chain attacks; not a fix, just a bypass. (80% fail)
- **** — If the mirror is also compromised or serving the same corrupted file, the hash will still mismatch. (60% fail)
- **** — Blindly accepting the new hash defeats the purpose of hash checking; could install malicious code. (70% fail)
